Hacking Threats Growing in Work-From-Home Era, Fear CISOs

Covid-enforced remote working creates new threats and vulnerabilities for bad actors to exploit, say cyber experts

The Covid-19 era of forcible remote working is creating new threats and vulnerabilities in banks’ IT infrastructures – and new bad actors to exploit them, information security experts fear.

The coronavirus pandemic has forced most major US and European financial firms to embrace remote working for the vast majority of their staff. That has made it far more difficult for surveillance teams within banks to monitor data for suspicious or unusual activity, and root out behaviour that poses a potential threat, according to Rowland Johnson, director at CREST, the UK central securities depository. Historical datasets that help teams understand what a typical day’s behaviour looks like have become outmoded, he said during a June 30 panel debate on penetration testing in the coronavirus era, as part of Risk Live Virtual Week.

“An organisation might have been set up [with the expectation that] X percent of people would have worked between the hours of 9am and 5pm, they would have been in the office, [their activity] would have come from trusted internet protocols, and so forth. Post-Covid, all bets are off. There are people working extended hours – maybe into the night. They are not coming from trusted IPs. And as a result, the data [that] organisations have captured over the last however many years is not helping at this moment,” said Johnson.

Penetration testing, which leans heavily on the kind of data Johnson described, refers to the family of approaches firms use to evaluate their infrastructural vulnerabilities in a bid to thwart hackers. Banks deploy a huge amount of resources on such methods, using techniques such as clandestine ‘red-teaming’, where a group within the company – the red team – will launch a targeted attack on an application or service.

Red-teaming is a test of a firm’s staff as much as its cyber defences. Often, the blue team – the group tasked with repelling cyber threats – won’t know that a red-team exercise is being planned, and must react to the threat on the fly. It was harder, Johnson suggested, for blue teams to identify threat actors – whether internal red teams or real hackers – because of this lack of observed normal behaviour.

Beyond the risks engendered by new ways of working, the virus’s second-order impacts – a global recession and the likely redundancy of a large number of employees – could dangerously exacerbate these threats, some fear.

In a Risk.net poll taken during the debate, half of those surveyed cited the vulnerabilities created by changes to working practices as their biggest worry when it came to coronavirus-related cyber threats. This was followed by a growth in impoverished nations financing cyber theft as a means to earn money and, third, by the creation of fresh insider threats from disgruntled employees, perhaps those placed on furlough or at risk of redundancy.

Other panellists said policy changes with respect to physical infrastructure could also cause problems. Cameron ‘Buck’ Rogers, global head of resilience risk at HSBC, added that steps taken by some firms to help staff become more comfortable in the home office – the issuance of key equipment, for example – could come back to bite them. One company had rolled out “30,000 desktops” to their offshore centres, he suggested – a move that could pose a dilemma once staff began returning to their regular offices in the coming months.

“What are you going to do? Are you going to let the person take the desktop back into the office with them?” he asked. “Are you going to wipe them all – and there’s a cost to that – because they’ve been in an environment which you’ve not been able to control so much?”

All three panel participants expressed strong views on the need for more board involvement in cyber security. There are still board members who are not cyber literate, the panellists said, which could create unnecessary risks for the companies those individuals help to steer.

“I can think of many instances where senior people on the board will have been asked ‘Do you do pen testing?’ or ‘Do you do red-teaming?’ And, often, the response is: ‘I don’t know – what’s that? You need to go and ask IT,’” said Johnson.

“We need to improve the cyber vocabulary within the board, in the same way that we have with finance. You wouldn’t have somebody on the board saying ‘I don’t know what an accrual is’ or a prepayment. It goes part and parcel with the responsibility of being on the board, and the same thing needs to happen with cyber.”

Boards should be educated not only for business purposes, Johnson pointed out: board members are themselves likely targets of hacking.

“For an adversary targeting a financial institution, everyone is fair game,” he explained. “The chief executive is fair game, the supply chain is fair game, so are spouses and children [of staff]. The conversation can’t be in the confines of IT – it has to resonate all the way up to the board.”

Craig Rice, director of cyber resilience and chief information security officer at Aviva, agreed that the boards of finance companies should become better informed, but said that a given firm’s cyber-security experts should work on educating their senior leadership. The coronavirus has made the need for such high-level tech literacy clear, the panel agreed.

Editing by Tom Osborn
